Guide to Implementing the NIST Cybersecurity Framework

Kristen LeClere

Data breaches and cyberattacks are becoming more and more common, causing many organizations to increase their spending on cybersecurity. But even with an increased security budget, cyberattacks continue to put important business systems at risk. To help overcome this problem, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, calling for the creation of a voluntary, risk-based framework for improving cybersecurity. In response to the EO, the National Institute of Standards and Technology (NIST) led the development of the Cybersecurity Framework (CSF). Input from industry, such as owners and operators of critical infrastructure, was a significant part of the development. Many organizations recommended ISACA's COBIT as a good example of a cross-sector security framework and guideline that is technology neutral and addresses cyber risks. Since its release, organizations have been able to use the CSF to help them implement security measures. The new ISACA guide on Implementing the NIST Cybersecurity Framework helps organizations in this process by describing how to use existing ISACA methods to effectively implement the CSF.

Implementing the NIST Cybersecurity Framework

As a participant in the development of the CSF, ISACA helped incorporate key principles from the COBIT framework. Since these COBIT principles are embedded in the Cybersecurity Framework, organizations can use COBIT processes to seamlessly and effectively implement the CSF. Though the CSF does not recommend specific methods to meet the intended objectives, the ISACA guide acts as an extension to the CSF, providing recommended methods for applying CSF concepts. Specifically, the ISACA guide aligns to each CSF step and provides organizations with COBIT activities and processes that can be used when implementing the CSF. Additionally, ISACA provides a toolkit containing templates for planning, assessing and recording CSF activities. Because the COBIT processes suggested in the ISACA guide have been proven through years of ISACA success, this approach provides organizations with an effective, measurable way to implement the CSF and improve their cybersecurity program.

As directed by the EO, the CSF provides a prioritized, flexible and cost-effective approach to address cybersecurity. Applying that framework using proven ISACA methods will help you enable your enterprise to achieve effective governance and management, which benefits its stakeholders.

Kristen LeClere
Security Engineer, G2 Inc.

[Source: ISACA]